⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-21224Type Confusion in Google Chrome

CWE-843Type Confusion16 documents11 sources
Severity
8.8HIGHNVD
EPSS
53.4%
top 2.01%
CISA KEV
KEV
Added 2021-11-03
Due 2021-11-17
Exploit
Exploited in wild
Active exploitation observed
Affected products
7
Google ChromeChromiumDebian Chromium+4 more
Timeline
PublishedApr 26
KEV addedNov 3
KEV dueNov 17
Latest updateOct 7
CISA Required Action: Apply updates per vendor instructions.

Description

Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

CVEListV5google/chromeunspecified90.0.4430.85
NVDgoogle/chrome< 90.0.4430.85
debiandebian/chromium< chromium 90.0.4430.85-1 (bookworm)
Debianchromium/chromium< 90.0.4430.85-1+3

Also affects: Debian Linux 10.0, Fedora 32, 33, 34

🔴Vulnerability Details

3
GHSA
GHSA-g2xr-gx3h-vpc9: Type confusion in V8 in Google Chrome prior to 902022-05-24
OSV
CVE-2021-21224: Type confusion in V8 in Google Chrome prior to 902021-04-26
VulnCheck
Google Chromium V8 Type Confusion Vulnerability2021

📋Vendor Advisories

4
CISA
Google Chromium V8 Type Confusion Vulnerability2021-11-03
Chrome
Stable Channel Update for Desktop: CVE-2021-212222021-04-20
Microsoft
Chromium: CVE-2021-21224 Type Confusion in V82021-04-13
Debian
CVE-2021-21224: chromium - Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote att...2021

🕵️Threat Intelligence

8
Securelist
Ten most mysterious APT campaigns that remain unattributed2022-10-07
Securelist
TOP 10 unattributed APT mysteries2022-10-07
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys2022-02-23
Fortinet
The Definition and Examples of Exploit Kits | Fortinet Blog2022-01-27
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-012021-11-09